network security group
Post on 11-Feb-2022
Attacking LEO satellite networks
Giacomo Giuliari, Tommaso Ciussani, Adrian Perrig, Ankit Singla
ETH Zurich
10 June 2021, USENIX ATC 21
Network Security Group
How is this achieved? The network model
• Uplinks and downlinks
  − Can serve multiple hosts
  − 4 Gbps upload for each uplink
  − Reconfigure as satellites move
• Inter-satellite links
  − Can carry up to 20 Gbps
  − High-capacity network in space
• Low latency advantages
  − The speed of light in vacuum is 50% faster than in fiber
  − Paths over ISL are straighter than fibers
10.06.2021 Network Security Group
SpaceX Starlink Shell 1
Global coverage
Low latency
FinTech
Remote AR
Cloud gaming
Remote surgery
Not just rural areas!
This tremendous potential generates great interest around LSNs…
…an interest shared by adversaries
How can they disrupt an LSN?
The ICARUS attack
• Adversarial goal: disrupt communication between hosts over the satellite network
• We do not consider known attacks
  − Jamming uplinks and downlinks
  − Attacks on weak (inexistent) encryption
• Adversaries can exploit LSN characteristics
  − In this presentation: attacks on ISLs
  − High disruptive power: many flows use the same ISL
[Figure labels: Uplink, Downlink, ISLs, Target]
Starting point: the Coremelt DDoS attack
• Instead of attacking a specific end host, we attack a network link
  − Flows between different src-dst pairs
  − Flows imitate legitimate traffic
  − “There is no victim”
High resilience to detection
Can Coremelt be applied to LSNs?
#1: Space-based low-latency network ⇨ Predictability
• “White Box” network
  − Public satellite positions
  − Public satellite designs
• Advance topology computation with low error
  − < 2 km / day
• Routing policy can be discovered
  − Latency measurements + topology knowledge
  − Single or multi-path
#2: Global access ⇨ DDoS attack stealthiness
• Remote areas are connected
  − Increased scatter of attack sources
  − Millions of terminals available for compromise
• Every satellite is an entry point to the network
  − No distinction between border routers and backbone routers
  − Increased attack surface
• The adversary knows bot location (GNSS)
#3: Low-latency/higher cost ⇨ Tight operation margins
• There is a combinatorically high number of paths between two satellites in the LSN
• BUT high-paying customers require low-latency and bounded jitter
• Of the many paths, the LSN operator can only use desirable (low-latency) paths
• For a successful attack the adversary only needs to “delay” packets for long enough!
• The adversary needs to:
  − Congest the forwarding path
  − Create buffering delay on satellites
• Even if alternative paths are still available, the adversary is successful
ICARUS: Attack mechanism
• Send traffic flows through the target link using:
  1. Public knowledge of LSN topology
  2. Distributed access points
  3. Knowledge of routing
• Attack metrics:
  − Cost = # bots needed
  − Detectability = max # bots on an uplink
Effective attack ↔ low metrics
Satellite routing: in the paper…
Single-shortest path routing
Disconnect regions
Load-balanced routing
Attacks worsened by satellite dynamics?
12 paths, 3 bottlenecks
Low cost
Low detectability
Same as single-link attacks
Cost-detectability trade-off
… maybe?
Load balancing over satellite paths
Path chosen at random at forwarding time from the load-balancing set
[Figure labels: Source, Destination]
Load-balancing design space
[Figure: design space with axes Path Performance (wrt shortest-path latency) and Path Diversity (path overlap), each from LOW to HIGH. Ideal: low latency, high bandwidth. Panels: low diversity and high diversity around the target ISL.]
Trade-off for the adversary: low cost OR low detectability
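Added example, not from the slides or the authors' framework: scoring a candidate load-balancing set on the two axes above, together with the largest share of a flow that any single ISL carries. The topology and latencies are constructed, and uniform random path choice and Jaccard link overlap are assumptions.

```python
import heapq
from collections import Counter
from itertools import combinations

# Constructed ISL latencies in ms (assumption, not real constellation data).
ISL_MS = {("S", "A"): 4, ("A", "B"): 4, ("B", "D"): 4, ("A", "C"): 5,
          ("C", "D"): 4, ("S", "E"): 6, ("E", "F"): 7, ("F", "D"): 6}
LAT = {frozenset(k): v for k, v in ISL_MS.items()}

def links(path):
    """Undirected ISLs crossed by a simple path given as a list of satellites."""
    return {frozenset(hop) for hop in zip(path, path[1:])}

def latency(path):
    return sum(LAT[l] for l in links(path))

def shortest_ms(src, dst):
    """Dijkstra over the ISL graph; returns the shortest-path latency."""
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            return d
        if d > dist[u]:
            continue
        for l, w in LAT.items():
            if u in l:
                (v,) = l - {u}
                if d + w < dist.get(v, float("inf")):
                    dist[v] = d + w
                    heapq.heappush(heap, (d + w, v))
    raise ValueError("no path")

def evaluate(lb_set):
    """Return (worst latency stretch, mean pairwise link overlap, max per-ISL share)."""
    best = shortest_ms(lb_set[0][0], lb_set[0][-1])
    stretch = max(latency(p) for p in lb_set) / best
    pairs = list(combinations(lb_set, 2))
    overlap = sum(len(links(a) & links(b)) / len(links(a) | links(b))
                  for a, b in pairs) / len(pairs)
    # Assumed uniform random choice per packet: an ISL carries the
    # fraction of the set's paths that cross it.
    crossings = Counter(l for p in lb_set for l in links(p))
    return stretch, overlap, max(crossings.values()) / len(lb_set)

LOW_DIVERSITY = [["S", "A", "B", "D"], ["S", "A", "C", "D"]]
HIGH_DIVERSITY = [["S", "A", "B", "D"], ["S", "E", "F", "D"]]

if __name__ == "__main__":
    for name, s in (("low", LOW_DIVERSITY), ("high", HIGH_DIVERSITY)):
        print(name, "stretch=%.2f overlap=%.2f max_isl_share=%.2f" % evaluate(s))
```

In the low-diversity set one ISL carries the whole flow at almost no latency penalty; the high-diversity set halves that share but raises the worst-case stretch.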
Load-balancing effect on attacks
[Figure: axes Path Performance (wrt shortest-path latency) and Path Diversity (path overlap), each from LOW to HIGH. Annotation: “Same as single-shortest path!”]
Probabilistic ICARUS detectability optimization
• Cost: 3.5 times the median single-shortest path attack cost
• Detectability: half of the median single-shortest path attack detectability
Mitigations
Traditional:
Attack and legitimate flows cannot be distinguished
• Traceback systems
• Traffic filtering
• Cloud DDoS protection
LSN-oriented:
• Resilient routing
• Improved topology design
• Increase attack cost/detectability without increasing latency
Conclusions & Contributions
• LSN network attacks are a threat
  • Different network characteristics
  • Advantages and disadvantages for defense
• ICARUS is powerful
  • ~100% path attack success rate
  • Low median cost and detectability
• Defense not trivial
  • Attack flows not distinguishable
  • Even with load balancing: path diversity and attack resilience ⟶ latency increase
• Future outlook
  • Attack:
    • Exploit network dynamics
  • Defense:
    • Explore resilient load-balancing policies
    • Explore strong topology designs
• Evaluation framework for future research: github.com/giacgiuliari/icarus-framework
Thank You!
Giacomo Giuliari
giacomog@inf.ethz.ch